[messaging] MITM-safe communication w/o authentication possible?

Ximin Luo infinity0 at pwned.gg
Sun Nov 29 16:15:53 PST 2015

On 30/11/15 00:53, Ethan Heilman wrote:
>> No, this is a common fallacy of "identity-based encryption".
> Correct me if I'm wrong but my understanding is that IBE is slightly
> weaker but more useful than the protocol I described because IBE
> places some trust in the PKG. This trust allows IBE to directly
> connect identities to cryptographic identities. If a fallacy exists it
> is in the protocol I described but not in IBE.

Ah, terminology confusion here. I was using "IBE" in the colloquial sense of "the key is the identity", which is a not-so-uncommon (ab)use of that term.

Yes, in academic literature "IBE" often refers to a system where a central PKG who holds a secret can bind identity<->key information subject to this secret, that others may verify this subject to trusting the PKG.

But note the original question was asking "is it possible to have a MITM-secure internet channel", no strings attached. To answer this question honestly, it's not appropriate to insert conditions in here of the form "subject to trusting the PKG". "Yes, but" means "no".

>> No human user thinks in terms of contacting cryptographic identities. [..]
> I agree with what you argue here. I also agree that the system I
> described does not work for most typical communication use cases but
> the question was:
>> "if it can be possible, _at least theoretically_, to have a MITM-secure internet channel without the use of PKI".
> The answer is both yes it is theoretically possible and yes there are
> atypical but real use cases.
> Am I correct in my understanding that .onion addresses work this way?

Yes, .onion address work in the same way that you described, but they also fall under what I was describing. And in fact, you can do this with *any* cryptography system today - in the UI, just display the certificate/key fingerprint instead of the URL/email-address/jabber-address, and there you go you have a "MITM-secure internet channel", where the software doesn't directly pretend to the user that they're communicating with (something other than a cryptographic key).

In other words, your way of interpreting the question basically ignores the hard problem. Of course, if you ignore the hard problem, then it's "possible".

(To put it another way, "self-authenticating" is a joke. My GPG fingerprint is self-authenticating too. Just go talk to 0x1318efac5fbbdbce, it doesn't matter who that is in real life.... what? no takers?)



More information about the Messaging mailing list